Abstract: Web applications have a variety of security vulnerabilities which can be exploited when large number of Web applications are widely used. Among these security vulnerabilities, the Therefore, in order to detect XSS vulnerabilities in Web applications more effectively, this paper presented a method that combines the static code analysis based on Tainted mode model with the sanitizing unit dynamic testing which includes the definition of the source rules, the sanitizing rules and the receiving rules of XSS vulnerabilities and the description of the dynamic detection algorithm for sanitizing unit. Analysis shows that this method can effectively find XSS vulnerabil- ides in Web applications.

Key words: XSS vulnerability, Fainted mode model, Sanitizing unit, Static analysis, Dynamic testing